Anthropic and Mozilla: Claude Found 22 Firefox Vulnerabilities in Two Weeks

Most AI safety announcements are marketing dressed as philosophy. This one is different. In February 2026, Anthropic deployed Claude Opus 4.6 against the Firefox browser’s 6,000-file C++ codebase, and the model found 22 security vulnerabilities — 14 of them high-severity — in under two weeks. Those fixes shipped to hundreds of millions of Firefox users in version 148.0. That’s not a demo. That’s a production security operation run largely by an AI, and it changes the calculus on what AI is actually useful for in the real world.

The Anthropic-Mozilla partnership is one of the clearest examples yet of AI doing genuinely hard technical work that humans struggle to scale. Security audits of complex codebases are expensive, slow, and depend on a thin talent pool of researchers who know how to find memory corruption bugs in decades-old C++ code. Claude just compressed weeks of expert work into a $4,000 API bill.

What Actually Happened

Over two weeks in February 2026, a team of Anthropic researchers partnered with Mozilla to run Claude Opus 4.6 against Firefox’s source code with a specific mandate: find exploitable security vulnerabilities. The scope was large — nearly 6,000 C++ files covering the JavaScript engine, the browser’s rendering pipeline, and other core components.

The results were striking:

• 22 vulnerabilities discovered across the codebase
• 14 classified high-severity by Mozilla’s own security team
• 112 unique reports submitted with supporting evidence
• All 14 high-severity fixes shipped in Firefox 148.0

That 14-vulnerability haul represents almost a fifth of all high-severity Firefox vulnerabilities remediated in all of 2025, in a single two-week engagement. For context, finding a single high-severity browser bug typically requires days of focused human effort from a specialized security researcher.

How Claude Worked Through the Code

The methodology matters here. Rather than dumping the entire codebase at Claude and asking “find bugs,” the Anthropic team structured the engagement carefully.

Claude started with Firefox’s JavaScript engine — SpiderMonkey — as an isolated, analyzable slice. The rationale was sound: JavaScript engines are historically fertile ground for memory safety bugs, they have well-understood attack surfaces, and the code is complex enough to reward systematic analysis.

Within 20 minutes of beginning analysis on SpiderMonkey, Claude identified a Use After Free (UAF) memory vulnerability. UAF bugs are a class of memory corruption error where code accesses memory after it has been freed, potentially allowing an attacker to control what data gets read or written. In a JavaScript engine that processes untrusted web content, a UAF is the kind of bug that ends up in a nation-state’s exploit toolkit.

From there, Claude worked methodically across the codebase. For each potential vulnerability it identified, it produced:

• A minimal test case that triggers the issue
• A detailed proof-of-concept explaining the bug
• A candidate patch addressing the root cause

That last point is significant. Most security scanning tools stop at “here’s the bug.” Claude came with proposed fixes — a very different level of output that compresses the remediation cycle considerably.

The Exploitation Test

Anthropic also tested whether Claude could actually exploit the vulnerabilities it found — a critical question for evaluating real-world risk. The results were instructive.

Out of several hundred exploitation attempts, Claude succeeded in only two cases. Crucially, those working exploits functioned only in testing environments stripped of modern browser security features — the sandbox, ASLR, and other mitigations that Firefox ships by default. Against a hardened production browser, Claude’s exploit capability was essentially nil.

This is actually the right answer. It means Claude can find the vulnerabilities that matter (the bugs are real) without currently being able to weaponize them against defended systems. That’s a defensible dual-use boundary, at least for now.

How to Apply This Approach

If you’re a security engineer, developer, or organization running your own codebase audit, the Anthropic-Mozilla engagement provides a clear operational template. Here’s how to replicate it:

1. Scope to a high-value slice first

Don’t attempt to audit an entire codebase in one pass. Pick the component with the highest attack surface exposure — input parsing, memory management, authentication — and start there. Claude (or any capable LLM) performs better with focused scope.

2. Use task verifiers

One of the explicit best practices Anthropic shared: deploy tools that let the AI check its own work independently. For vulnerability research, this means setting up a test harness where Claude can run its proposed test cases and confirm the bug triggers before submitting. This dramatically reduces false positives.

3. Require automated regression testing

For every candidate patch Claude proposes, run your existing test suite automatically to confirm the fix doesn’t break existing functionality. This catches the common failure mode where a security fix introduces a regression.

4. Demand full evidence packages

Don’t accept “there’s a bug here” as output. Require minimal reproducible test cases, proof-of-concept code, and candidate patches. This is what makes the output actionable rather than advisory.

5. Follow Coordinated Vulnerability Disclosure

Anthropic and Mozilla followed CVD principles throughout — Anthropic validated findings independently before submission, Mozilla triaged and fixed before public disclosure. If you’re running similar engagements against third-party or open-source code, the same principles apply: don’t publish before patches ship.

6. Budget realistically

The entire Firefox engagement cost approximately $4,000 in API costs. For 14 high-severity vulnerability fixes, that’s a startling cost-per-finding. Against a commercial codebase audit that might cost $50,000–$150,000 for the same scope, the economics are hard to ignore.

Practical Use Cases

The immediate applications extend well beyond one-off browser security work:

Open-source maintainers with limited security budgets can run periodic AI-assisted audits against their C/C++ codebases at a fraction of traditional pen-testing costs. Projects like OpenSSL, Linux kernel subsystems, or game engines are obvious candidates.

Enterprise security teams can integrate LLM-assisted vulnerability scanning into CI/CD pipelines — not replacing manual review, but triaging the most promising areas for human attention before a full audit.

Bug bounty researchers can use similar workflows to pre-screen large codebases before committing days of human effort, letting Claude surface the highest-probability targets.

Software vendors preparing for compliance audits (SOC 2, ISO 27001, PCI DSS) can use AI-assisted code review to identify and remediate issues before external auditors arrive, reducing both cost and surprise.

How This Compares to Competitors

OpenAI has talked about AI for cybersecurity in general terms, and Google’s DeepMind has published academic work on AI-assisted fuzzing (notably in 2024 when OSS-Fuzz integrations found real bugs). But neither has demonstrated a structured, end-to-end partnership with a major open-source project at this scale, with verifiable results shipped to production users.

Microsoft’s Security Copilot is the most direct commercial competitor — it’s an LLM-powered tool explicitly designed for security operations. But Security Copilot is primarily oriented around threat detection and incident response, not offensive vulnerability discovery in source code. That’s a different product for a different part of the security stack.

Google’s Project Zero remains the gold standard for elite human-driven browser vulnerability research. But Project Zero is a small, expensive team of world-class experts. The Anthropic-Mozilla engagement suggests a path to scaling that kind of work horizontally — not replacing Project Zero’s depth, but covering far more surface area per dollar.

The honest comparison: this is the most publicly documented, production-verified AI security research engagement any major AI lab has published. The bar clears by default because others haven’t attempted to verify anything similar at this scope.

The Honest Take

Here’s what’s genuinely impressive: the throughput. 6,000 files, 112 reports, 22 confirmed vulnerabilities, 14 high-severity, two weeks, $4,000. Any one of those numbers in isolation would be interesting. Together, they represent a meaningful compression of security research economics.

The Use After Free finding within 20 minutes is also legitimately impressive — UAF bugs in JavaScript engines aren’t simple to spot. They require understanding memory ownership semantics across complex code paths. That Claude could identify one faster than a human researcher could spin up a development environment suggests real understanding of the bug class, not pattern matching on obvious signatures.

What shouldn’t be overhyped: Claude currently cannot reliably exploit what it finds against modern hardened targets. Two successful exploits out of several hundred attempts, in stripped-down test environments, is a long way from “AI can now attack production systems.” The exploitation gap remains large, and Anthropic is appropriately transparent about this.

There’s also a question of false positive rate that the announcement doesn’t fully address. 112 reports for 22 confirmed vulnerabilities implies a roughly 80% false positive rate — useful as triage, but requiring significant human validation time. At scale, that human-in-the-loop requirement could be a bottleneck.

Finally: this was Claude Opus 4.6 running against a well-known, extensively studied codebase with a lot of historical vulnerability data in its training. Generalizing these results to a novel, proprietary codebase in an obscure language is a bigger leap than the press release implies.

What This Means for AI Users

If you work in software security, this partnership is the most concrete evidence yet that LLMs are becoming genuine tools in the offensive security workflow — not assistants that help write reports, but systems that find real bugs. The economics alone suggest that AI-assisted code auditing will be standard practice within two years.

For everyone else, the more important implication is philosophical. Anthropic is demonstrating that “AI safety” doesn’t have to mean AI that only does safe things — it can mean AI that actively makes infrastructure safer. Finding and patching 14 high-severity Firefox vulnerabilities before bad actors do is a concrete safety contribution, measured in the hundreds of millions of users who didn’t get exploited.

The Mozilla partnership is a proof of concept for a model of AI deployment that’s been mostly theoretical: AI as a force multiplier for the defenders, not just a tool that attackers can also misuse. Whether Anthropic can replicate this at scale across other major open-source projects — and whether the economics hold when the codebases get less familiar — is the question worth watching.

One engagement doesn’t prove a revolution. But it’s a more honest proof of work than most AI capability claims get.